OpenSCAP / openscap-daemon

Manages continuous scans of your infrastructure
https://www.open-scap.org/tools/openscap-daemon
GNU Lesser General Public License v2.1

Support RHEL8 targets #148

Closed jan-cerny closed 4 years ago

jan-cerny commented 4 years ago

Adds RHEL8 CVE feeds and RHEL8 SSG datastream. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1777868

yuumasato commented 4 years ago

@jan-cerny Also update the generate-dockerfile.py to download RHEL8 CVE feed.

Could you provide some instructions to test? I've generated a scanning container with updated openscap-cpe-oval.xml and ssg-rhel8-ds.xml, but could not scan registry.redhat.io/ubi8, it says that it is not supported. Scan of registry.redhat.io/ubi7 worked.

jan-cerny commented 4 years ago

@jan-cerny Also update the generate-dockerfile.py to download RHEL8 CVE feed.

Yes, nice catch, I will do that.

Could you provide some instructions to test?

I have done it this way:

  1. Get a RHEL 7 VM using my favorite tool, enable extras repository.

  2. Install atomic, docker.

  3. docker pull and atomic install the rhel7/openscap container

  4. I used the attached dockerfile to build a new image that uses rhel7/openscap as a base image, inserts ssg-rhel8-ds.xml and the RHEL8 CVE feed, and replaces the following files with updated new versions:

    • /usr/lib/python2.7/site-packages/openscap_daemon/config.py
    • /usr/lib/python2.7/site-packages/openscap_daemon/cve_feed_manager.py
    • /usr/share/openscap/cpe/openscap-cpe-dict.xml
    • /usr/share/openscap/cpe/openscap-cpe-oval.xml
  5. tag the new image with the same tag as old image

I admit it's not a proper test but it was faster than RPM builds of all affected packages.

I've generated a scanning container with updated openscap-cpe-oval.xml and ssg-rhel8-ds.xml, but could not scan registry.redhat.io/ubi8, it says that it is not supported. Scan of registry.redhat.io/ubi7 worked.

That's unfortunate, it worked for me.

helpers.zip
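The attached helpers.zip is not reproduced on this page, so here is an added example of what the Dockerfile for step 4 of the procedure above looks like; it is not the file from the PR. The four destination paths under /usr/lib/python2.7 and /usr/share/openscap/cpe are the ones the comment lists. Everything else is an assumption: the updated files are taken from a ./updated/ directory in the build context, the SSG datastream goes to the standard SSG content directory, and the CVE feed file name and its directory are placeholders that must be set to whatever the patched config.py expects.

```dockerfile
# Added example, not the helpers.zip attachment from the PR.
# Rebuilds the rhel7/openscap scanning image with the RHEL 8 content
# described in the comment. Build context layout (assumption):
#   ./updated/config.py
#   ./updated/cve_feed_manager.py
#   ./updated/openscap-cpe-dict.xml
#   ./updated/openscap-cpe-oval.xml
#   ./updated/ssg-rhel8-ds.xml
#   ./updated/rhel8-cve-feed.xml        (placeholder name for the RHEL 8 CVE feed)
FROM rhel7/openscap

# openscap-daemon sources patched for RHEL 8 targets (paths from the comment)
COPY updated/config.py           /usr/lib/python2.7/site-packages/openscap_daemon/config.py
COPY updated/cve_feed_manager.py /usr/lib/python2.7/site-packages/openscap_daemon/cve_feed_manager.py

# CPE dictionary and OVAL checks that let the scanner recognise a RHEL 8 target
# (paths from the comment); without these an ubi8 image is reported as unsupported
COPY updated/openscap-cpe-dict.xml /usr/share/openscap/cpe/openscap-cpe-dict.xml
COPY updated/openscap-cpe-oval.xml /usr/share/openscap/cpe/openscap-cpe-oval.xml

# RHEL 8 SSG datastream; destination is the standard SSG content directory
# (assumption, the comment does not say where the file was placed)
COPY updated/ssg-rhel8-ds.xml /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml

# RHEL 8 CVE feed; file name and directory are placeholders (assumption),
# align them with the feed location the patched config.py uses
COPY updated/rhel8-cve-feed.xml /var/lib/oscapd/cve_feeds/rhel8-cve-feed.xml

# Step 5 of the comment: build, then retag over the tag atomic installed so the
# rebuilt image is the one used for subsequent scans:
#   docker build -t rhel7/openscap:rhel8-test .
#   docker tag rhel7/openscap:rhel8-test rhel7/openscap:latest
```

Retagging over the original tag is what makes the already-installed scanner pick up the rebuilt image without reinstalling, which is why the comment calls it a quick check rather than a proper test: once retagged, the local image no longer matches the registry's rhel7/openscap, so keep a note of the original image ID (docker images --digests) to restore it afterwards.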